Account Takeover: What is it and How Can I See it Coming?

By Ryan Wilk,
VP of Customer Success - NuData Security, a Mastercard company

How does account takeover (ATO) happen?

Account takeover starts days, weeks or months before the customer finds a fraudulent transaction. It starts when a fraudster buys a set of breached personal data such as username and password.

By running a script against your login interface, they can test thousands of username and password combinations per second and find the working pairs.

Once they find the “good” combinations, they either take over the accounts right there and then or resell those verified credentials for a higher price in the dark web, as once they verify them they become more valuable.

What type of data is used for an account takeover (ATO)?

The data required to take over an account depends on the information each site needs to verify their user. If in addition to username, password, the account requires a one-time code, or a biometrics verification (such as a fingerprint scan or iris scan), then the fraudster will need to access that information to take over the account.

One-time passwords (OTP) and physical biometrics are harder to access for the average fraudster, but someone specialized can get a hold of them or, for example, intercept an SMS with the one-time code (OTP).

What is loyalty fraud?

Also known as rewards fraud, rewards abuse, and interaction fraud, is when a fraudster cashes the legitimate user’s stored points rewards, miles – or another type of company-provided benefits – to make a monetary profit. This way of making a profit from account takeover has been gaining muscle because of its discretion.

How do I detect and stop account takeover?

Be proactive instead of reactive. Don’t wait for the attack to happen; start looking for the pre-ATO signs today. Monitor your login, account creation or password reset placements. Look for anomalous signs such as an account trying to be accessed several times in the last weeks. Or thousands of new accounts being created from one same IP, or state. Check if the same type of device is triggering these unusual attempts.

When you look into who is using your interface, whether successfully or not, you can stop account takeover before it ever enters your environment.